Update (6-27-07): I just found out that the makers of aircrack-ng just made this method easier. Two days after I wrote this article, they released a VMWare image of their entire suite of wireless penetration tools. So, instead of downloading and using the generic BackTrack ISO (step 1 and 5) head over to Aircrack-ng and obtain their version.

Update II (6-27-07): I guess packet injection under Windows is feasible after all! At the same time the VMWare aircrack-ng image was released, they also revealed a new USB WiFi adapter that lets you inject and read packets natively in Windows without the virtualization layer. What's more, you can use the Wireshark GUI instead of the aircrack-ng command line. Personally, I would still go with the Alfa (read more below) since it has an antenna connector. But that's just me!

“...crack a WEP enabled access point within a couple of minutes. 3 minutes to be exact.”

That Digg article piqued our curiosity in high school. My friend and I read about how the FBI publicly demonstrated a successful wireless network crack in a minuscule amount of time. Inspired, we obtained a laptop and searched around our neighborhood for WEP encrypted wireless networks. Our plan was to show these local folks how easy it was to acquire their WEP key. Then, we would convince them that we were good, hirable technicians who could upgrade their WiFi WEP encryption scheme to WPA. We spent literally three days practicing, trying to crack our own network with Windows tools. But in the end, our plan never materialized. Why? We were too “n00b” for Linux.

Crippled Windows Users

I'll say it once and I’ll say it again, “I hate being a Windows user.” I hold great respect for computer hackers who are quick to grasp other operating systems, like Linux and OS X, without a problem. But I, having been weaned on Windows since the day I touched a computer, have a hard time operating those unfamiliar user interfaces … or lack thereof. I mean, more than half of Linux is in the shell command line!

Aircrack-ng Win32 Binary Port

Many users like myself have a hard time integrating with the computer hacker world. Most programs are written for *nix operating systems. Only when a kind, talented soul takes pity on us Windows amateurs and ports the code to Win32, are we able to use that software.

At the time, that Win32 software was almost non-existent for my friend and me. Even today, wireless network penetration software is still in the Linux stage. The main software suite, Aircrack-ng, is just barely supported in Windows. When I tried the Windows port, it was slow, it did not accept my drivers, and it crashed numerous times. Basically, the Win32 aircrack-ng suite was pretty unusable and unstable.

Virtualization Solution

Finally, I decided to just try aircrack-ng in Linux. I bought some equipment and ran the Backtrack Live-on-CD Linux Distribution. After reading up on numerous Linux and aircrack-ng documentation, I was finally able to crack my home network!

Frequently Asked Questions

So how did I do this? Before you begin my tutorial, I suggest you read this FAQ for background information.

Why aircrack-ng? Aircrack-ng is the most popular wireless cracking suite. Because of that, it is the most compatible with different types of hardware, it offers more forum support, and it is on the cutting edge of the latest WiFi hacking techniques.

What are the main elements in cracking a wireless network? There are three:

Airodump-ng: Gathers the “special,” “faulty” data necessary to crack a network.
Aireplay-ng: Stimulates the base AP station to generate the “special” data that airodump-ng collects.
Aircrack-ng: Takes the data from airodump-ng and, with statistical or brute-force dictionary analysis, cracks the key/PSK.

Why is Windows inherently unable to crack wireless networks? Special (mostly unavailable) patched drivers are required to use these programs.

What about the Peek Driver? First of all, the Peek Driver is special software written by WildPackets for AiroPeek, sort of a wireless network version of Wireshark/Ethereal. The bad thing about the Peek Driver is that it only allows you to read packets. Essentially, you can only use airodump-ng and aircrack-ng. Theoretically, you can crack a wireless network with only these two programs, but it is very difficult, drawn out, and plain inefficient. Without the speeding aid of aireplay-ng, cracking a wireless network may take days. Aireplay-ng helps inject packets and manipulate the wireless network.

Why does the Peek Driver not support aireplay-ng? This is because aireplay-ng requires the network card to be in a special state called “Monitor Mode.” In normal operation, the network interface is in “Managed Mode.” The Windows NDIS API (Network Driver Interface Specification) does not support any extensions for wireless monitor mode. Therefore, the only drivers that allow WiFi cards to be in monitor mode are in Linux.

I’ve heard of Windows tools that support packet injection. I have too. But I also heard that they cost upwards of $300 and they are not nearly as fast as aireplay-ng.

So then … there still is a way to use aireplay-ng in Windows with your hack? Yes. Basically, you run Backtrack as a virtual machine in VMWare Player. Since VMWare supports passthrough USB, the Backtrack virtual machine can directly access a compatible USB wireless network adapter. Note that my method will only work with a USB adapter since the only passthrough that virtual machine programs support is with the USB interface, not PCI, miniPCI, PCMCIA, PC Card, Express Card, etc.

So, I won’t need to know Linux commands and I will be presented with that familiar, friendly user interface that I am accustomed to in Windows? Heavens no! If you read the answer above, you know you will still be using Linux … in Windows. This is just a convenience of not having to switch between reboots. You will still be unable to avoid the obscure Linux shell commands!

Hardware

Let’s just cut to the chase. There is no reason to continue if you don’t even own the correct hardware. I’m sorry, but there is no workaround for this. I’m a frugal person and I tried doing this the frugal way. It just doesn’t work. If you’re not willing to open your wallet, I would stop reading now.

In my research and tests on compatible network adapters, only one has the fewest quirks and the least breakage for this operation. Get the Alfa USB AWUS036S Network Adaptor with the threaded RP-SMA antenna connector. USB WiFi adapters with antenna connectors are almost impossible to find. Usually you have to solder and mod the circuitry of another adapter to gain this functionality. Save yourself some trouble and just purchase this one.

Data Alliance

Now, if you could only find where to buy this elusive piece of equipment. I found mine at DataAlliance, an online/eBay store managed by a man named George Hardesty. If you know of any other worthy store, please comment at the end of this post.

Hardesty supplies most of my wireless networking needs. His inventory is the most cutting edge (and cheapest) that I have come across. Take a look at his store. It includes one of the most comprehensive resources I’ve read on wireless networking. Nevertheless, don’t be tempted to purchase the high-powered Alfa USB AWUS036H WLAN Adapter. I’ve used it … twice! It breaks easily and it is noisy. Additionally, “high powered” isn’t always a good thing. The chipset amplifies noise interference. Therefore, the TX/RX signal gets distorted. You could also be waving a flag to the FCC to smack you with a fine, especially if you are using a high-gain antenna. Worst-case scenario, you’ll give yourself leukemia. We already have enough EMI as it is with computers and cell phones.

Use a *.vmx configuration file like this one and run it. You may have to tweak a couple of customizations to get it to work. The most important thing is that you enable USB passthrough with “usb.present = "TRUE".”
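For orientation, here is an added minimal .vmx of the kind this paragraph refers to. It is a reconstruction written for this page, not the author's file; the ISO path, memory size, display name and virtual hardware version are assumptions you will need to adjust.

```ini
config.version = "8"
virtualHW.version = "4"
displayName = "BackTrack (USB passthrough)"
guestOS = "other26xlinux"
memsize = "512"

# Boot the live CD from its ISO image (the path is a placeholder)
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "C:\path\to\backtrack.iso"

# NAT networking for the guest's own traffic; the USB WiFi stick is separate
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"

# The essential line: expose the host USB controller to the guest so the
# wireless adapter can be handed over to BackTrack instead of Windows
usb.present = "TRUE"
```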

I suggest that you install VMWare Tools as well. It makes VMWare integration with Windows a whole lot easier and faster. You’ll have to do some special extraction though. Read my previous article on VMWare Tools for more details.

When you are actually viewing the BackTrack KDE desktop (X Windows), plug in your USB network adapter. Windows will recognize and install it as a "VMWare USB Device." At the top of your VMWare window, you should see “Anonymous USB Device (Vendor: #### Product: ####)" highlighted. The "####" values will vary depending on the wireless USB interface hardware ID.

If it isn't highlighted or Windows is trying to install the driver for Windows use (like "Realtek Network Driver" not "VMWare USB Device") just click the "Anonymous USB Device" button and Windows will "disconnect" the device from Explorer and "reconnect" it in VMware.

After about a minute, open a console window and verify that BackTrack recognized the hardware. Type "iwconfig". If you see an interface (like "rausb0"), congratulations! You're in business!
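To make that last check repeatable rather than eyeballed, here is an added shell example (not from the original post) that parses iwconfig-style output, lists the interfaces that actually have wireless extensions, and reports whether a given one is in Managed or Monitor mode. The sample output is constructed, modelled on an rt73 stick showing up as rausb0.

```shell
#!/bin/sh
# Added example: confirm the guest sees the USB stick as a wireless interface.
# The functions read iwconfig output from stdin, so they work offline on a
# sample as well as on a live system via:  iwconfig 2>&1 | wireless_ifaces

# Constructed sample, modelled on wireless-tools output for an rt73 adapter.
SAMPLE_IWCONFIG='lo        no wireless extensions.

eth0      no wireless extensions.

rausb0    RT73 WLAN  ESSID:""  Nickname:""
          Mode:Managed  Frequency=2.412 GHz  Access Point: Not-Associated
          Bit Rate=54 Mb/s
          Encryption key:off
'

# Print "<interface> <mode>" for each interface that has wireless extensions.
wireless_ifaces() {
    awk '
        # An interface block starts in column 1; remember its name, but drop
        # wired interfaces, which iwconfig marks "no wireless extensions".
        /^[^ ]/ { iface = $1; if ($0 ~ /no wireless extensions/) iface = "" }
        # The Mode: field belongs to the most recent wireless interface.
        iface != "" && match($0, /Mode:[A-Za-z-]+/) {
            print iface, substr($0, RSTART + 5, RLENGTH - 5)
            iface = ""
        }
    '
}

# Succeed if at least one wireless interface is present in the guest.
has_wireless() {
    [ -n "$(wireless_ifaces)" ]
}

# Succeed if the named interface is in Monitor mode (what aireplay-ng needs);
# a freshly attached adapter normally reports Managed, as in the sample.
in_monitor_mode() {
    wireless_ifaces | grep -q "^$1 Monitor$"
}

printf '%s' "$SAMPLE_IWCONFIG" | wireless_ifaces
```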

In Closing

On attack techniques, I won't get into the details. There are enough tutorials online. For starters, read the aircrack-ng documentation. They just added a new “cracking tutorials” section. You'll learn a thing or two. Remember, pretty much any wireless attack you perform in Linux can also be done in this setup.

Technically, you still need a form of Linux in order to perform this workaround. However, it sure beats constantly rebooting to switch between operating systems. Windows users may find it comforting that they can always retreat to Explorer when things get scary. They don't have to fear that any real data can be lost or hardware destroyed.

Leave any questions or comments below about your experience with this hack. I'll try my best to answer them.


I downloaded the aircrack VMware premade image (the larger of the two choices) and used a Netgear WG111v2, and it worked with packet injection using the rtl8180 driver. Been successful in cracking WEP with it. Got it at Best Buy. Somewhere on the web I found it uses the RT73 and it works. Used VMware 6.

Hi. I downloaded VMware Player 2.0.1 build-55017 and aircrack-ng's VMware image (vmware-aircrack-ng-v2.7z), but unfortunately the file doesn't have an extension like .vmx or .vmc. What do I have to do to play the image?

Hi, thanks for the news. Tried it with a Netgear WG111v2 and it worked. I also tried it with a WG111v3 and that doesn't work. You can determine the version number with the serial number on the box. ***165 and *WG41 are good to go.

Crippled Windows user indeed! Windows does its best to hide the nuts and bolts of computing from the user, at the cost of doing what you want to do someone else's way, or being unable to do it at all.

*nix puts the hack back into hacking. You get as much, or as little control as you like, and if you're using open source, you can create your own customized solution by building upon the work of others.

And here's the cool part: it is stunning just how fast some of that old hardware can be when you don't have to run a GUI to make the software work.

It's been a long time that I've been looking for a good USB adapter compatible with Linux + Aircrack-ng + Ettercap. Finally I chose the Alfa USB AWUS036S Network Adaptor after reading the aircrack-ng documents and your article "Aircrack/Aireplay-ng Under Packet Injection Monitor Mode in Windows", but I cannot find anywhere to buy one.

Now my question is: the Alfa USB AWUS036S uses the Ralink rt73 chipset, so if I buy another brand (not Alfa) with the Ralink rt73 chipset, does it work perfectly like the Alfa USB AWUS036S and is it easy to use, plug and play, in BackTrack and other Linuxes?

Hi hacker not cracker, I know this blog page is from a while back now, but I was wondering if you could clarify a few things for me. I have an RT73 USB chipset and I have located https://mypeek.wildpackets.com/driver_downloads.php which apparently has the appropriate drivers for my card to run packet sniffing/injection under Windows, but I am failing to make sense of the list of drivers.
Also, have you discovered a more direct method of getting an RT73 working in Windows? I find I am running around the whole internet just trying to locate a layman's guide to getting an RT73 working in Windows with no luck so far, so it would be good to get some clarification on whether I am barking up the wrong tree or not!
Thanks

No NEO, they are not the same. I just tried looking for the "S" version, and I can't find it anywhere, but I've seen proof that it's a separate product. That's exactly what the picture in the article is.

Don't expect to find one; it looks like they're not made/distributed anymore. I looked on eBay, Amazon, and every other major online retailer, and sadly, nothing.
